CVE-2025-12383

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.eclipse.org/security/cve-assignment/-/issues/74	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eclipse:jersey:2.45:::::::*
	cpe:2.3:a:eclipse:jersey:3.0.16:::::::*
	cpe:2.3:a:eclipse:jersey:3.1.9:::::::*

History

16 Jan 2026, 20:09

Type	Values Removed	Values Added
First Time		Eclipse jersey Eclipse
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.4
CPE		cpe:2.3:a:eclipse:jersey:2.45:::::::* cpe:2.3:a:eclipse:jersey:3.0.16:::::::* cpe:2.3:a:eclipse:jersey:3.1.9:::::::*
References	~~() https://gitlab.eclipse.org/security/cve-assignment/-/issues/74 -~~	() https://gitlab.eclipse.org/security/cve-assignment/-/issues/74 - Issue Tracking, Vendor Advisory

18 Nov 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-18 16:15

Updated : 2026-01-16 20:09

NVD link : CVE-2025-12383

Mitre link : CVE-2025-12383

CVE.ORG link : CVE-2025-12383

JSON object : View

Products Affected

eclipse

jersey

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2025-12383", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-18T16:15:42.867", "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/74", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)"}], "lastModified": "2026-01-16T20:09:26.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jersey:2.45:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0AB3AD89-3D53-44D4-88F2-EC0B8CE4EFA7"}, {"criteria": "cpe:2.3:a:eclipse:jersey:3.0.16:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CFA26EB-7ABF-4EB7-9A1B-80D1655138E6"}, {"criteria": "cpe:2.3:a:eclipse:jersey:3.1.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34463160-4787-4959-8DE9-E97E759D1A71"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}